From: "Bob Hockney" <[EMAIL PROTECTED]>

> > I think he is talking about the password that is written inside the script
> > in the mysql_connect statement. I think he is worried that someone could
> > access its code and find out the DB password.
>
> What I am concerned about is a local user on the server machine, not access through
> the web server. It sounds like it can be done if there is a separate user or group for the
> web server process, but this is site specific. It would be difficult to distribute a program
> and use a generalized install routine to install the file containing the passwords to be
> edited by the site admin.

If you're on a shared server, then you should ensure safe_mode is enabled and open_basedir restrictions are in effect so the different users are limited to their own directories. Otherwise, yeah, your script is wide open to any other user on the machine that can run a PHP script. This goes for almost _every_ hosting solution out there because not many of them run safe_mode.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
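
The per-site restriction described in the reply above, written out as an added example (not part of the original thread) for an Apache server running mod_php. The hostnames, paths and two-site layout are assumptions.

```apache
# Constructed example: two customers sharing one Apache + mod_php host.
# Hostnames and directory names are hypothetical.
#
# Without the php_admin_* lines below, a PHP script uploaded by site A
# can open /home/siteb/public_html/config.php and read the password
# passed to mysql_connect(), because both sites run as the same
# web server user.

<VirtualHost *:80>
    ServerName sitea.example
    DocumentRoot /home/sitea/public_html

    # php_admin_* settings cannot be overridden from .htaccess or ini_set().
    # safe_mode only exists in older PHP releases (removed in PHP 5.4).
    php_admin_flag  safe_mode on

    # The trailing slash matters: without it the value is a prefix match,
    # so "/home/sitea" would also allow "/home/sitea2".
    php_admin_value open_basedir "/home/sitea/"

    # Keep uploads and sessions inside the site's own tree instead of a
    # shared /tmp that every other site can also read.
    php_admin_value upload_tmp_dir    /home/sitea/tmp
    php_admin_value session.save_path /home/sitea/tmp
</VirtualHost>

<VirtualHost *:80>
    ServerName siteb.example
    DocumentRoot /home/siteb/public_html

    php_admin_flag  safe_mode on
    php_admin_value open_basedir "/home/siteb/"
    php_admin_value upload_tmp_dir    /home/siteb/tmp
    php_admin_value session.save_path /home/siteb/tmp
</VirtualHost>
```

open_basedir constrains only PHP's own file functions. A local user with a shell is stopped only by file ownership and mode on the password file, which is the separate user or group arrangement raised in the quoted message.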